SCIENTIFIC 

REPORTS 




OPEN 



SUBJECT AREAS: 

QUANTUM 
INFORMATION 

OTHER PHOTONICS 



Received 
11 December 201 3 

Accepted 
4 April 2014 

Published 
23 April 2014 



Correspondence and 
requests for materials 
should be addressed to 
S.-H.S. (shsunl983@ 
126.com) 



Hacking on decoy-state quantum key 
distribution system with partial phase 
randomization 

Shi-Hai Sun 1 , Mu-Sheng Jiang 1 , Xiang-Chun Ma 1 , Chun-Yan Li 1 & Lin-Mei Liang 1 - 2 

1 Department of Physics, National University of Defense Technology, Changsha 41 0073, P. R. China, 2 State Key Laboratory of High 
Performance Computing, National University of Defense Technology, Changsha 41 0073, People's Republic of China. 

Quantum key distribution (QKD) provides means for unconditional secure key transmission between two 
distant parties. However, in practical implementations, it suffers from quantum hacking due to device 
imperfections. Here we propose a hybrid measurement attack, with only linear optics, homodyne detection, 
and single photon detection, to the widely used vacuum + weak decoy state QKD system when the phase of 
source is partially randomized. Our analysis shows that, in some parameter regimes, the proposed attack 
would result in an entanglement breaking channel but still be able to trick the legitimate users to believe they 
have transmitted secure keys. That is, the eavesdropper is able to steal all the key information without 
discovered by the users. Thus, our proposal reveals that partial phase randomization is not sufficient to 
guarantee the security of phase-encoding QKD systems with weak coherent states. 

Quantum key distribution (QKD) 1 admits two remote parties (Alice and Bob) to share unconditional 
secure key based on the principle of quantum mechanics 2 ' 3 , which has been demonstrated in experiments 
with long distance and high repetition rate 4-7 . However, the practical QKD system will suffer from 
quantum hacking due to device imperfections 8 " 15 , then the unconditional security of QKD is compromised. In 
practical QKD systems based on BB84 protocol, the weak coherent source (WCS) is often used to replace the 
single photon source which is unavailable within current technology. However, the WCS contains multi-photon 
pulse with nonzero probability which will cause the photon-number-splitting (PNS) attack 1617 , then the maximal 
secure distance of practical QKD system will be limited in tens of kilometers. Luckily, decoy state method 18 " 21 can 
efficiently overcome this problem, and extend the secure distance of QKD to hundreds of kilometers. 

When the phase of WCS has been totally randomized, the source is a mixed state of all number states, and the 
channel between Alice and Bob can be considered as a photon number channel. Then, the key rate is given by the 
GLLP formula 3 , 



(1) 



where q = 1/2 for the standard BB84 protocol, H 2 (x) is binary Shannon entropy, /(£J is the error correction 
efficiency. and are the total gain and QBER, which can be measured in experiment. Y[ and e j 7 are the lower 
bound of yield and upper bound of QBER for single photon pulses, which must be estimated by Alice and Bob 
according to their measurement results. In fact, the main contribution of decoy state method is that it can give out 
the tight bound of Y Y and e x with finite resources. For instance, the weak + vacuum decoy state method is enough 
for the legitimate parties to tightly estimate the yield and QBER of single photon pulses, in which Alice randomly 
sends three kinds of pulses with different intensities, signal state fi, decoy state v, and vacuum state. After the 
communication, Alice and Bob calculate the total gain (Q^, Q v and Q vac ) and QBER (E^, E v and E vac ) in 
experiment, then they estimate the lower bound of yield {Y[) and the upper bound of QBER (ej 7 ) for the single 
photon pulse, which are given by 21 
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Obviously, the phase randomization is the base of decoy state method. However, in practical situations, this 
assumption may not hold, since Eve may have some prior information about the random phase of source. For 
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example, in two-way systems, the source is totally controlled by Eve, 
thus she can exactly know the phase of source; or in some systems, 
the pulse is generated by cutting off the coherent laser with a intensity 
modulation, and there may exits phase relationship among different 
pulses. In fact, some potential attack on source had been pro- 
posed 915 ' 22 . In Ref. 22, Lo and Preskill pointed out that the phase 
randomization assumption is necessary for the security of BB84 
protocol using WCS, and obtained the key rate formula with non- 
random phase. In Ref. 15, Tang et al. proposed and demonstrated an 
attack, based on a linear-optic unambiguous state discrimination 
measurement and PNS, to show that the security of a QKD system 
with nonrandom phase will be compromised. In Ref. 9, our group 
proposed an attack to show that the QKD system is still insecure even 
if the phase of source is partially randomized, but it is invalid for the 
widely used weak + vacuum decoy state method (their attack is only 
valid for the special one- decoy state method in some parameter 
regimes). 

In this paper we propose a more powerful hybrid measurement 
attack, with only linear optics, homodyne detection, and single 
photon detection (SPD), to the widely used vacuum + weak decoy 
state QKD system when the phase of source is partially randomized. 
Here partial phase randomization means that the phase of source is 
randomized within the range of [0, 3), where 3 < 2n. Note that 3 = 0, 
3 <2n and 3 = 2n represents unrandomization, partial randomiza- 
tion and total randomization, respectively. When the phase of source 
is just partially randomized, the photon number channel assump- 
tion, which is the base of the decoy state, is invalid, then Eve can use 
this information to enhance her ability to spy the secret key. Our 
analysis shows that the proposed attack would result in an entangle- 
ment breaking channel but still be able to trick the legitimate users to 
believe they have transmitted secure keys. That is, the eavesdropper is 
able to steal all the key information without noticed by the users. 
Thus, our proposal reveals that partial phase randomization is not 
sufficient to guarantee the security of phase-encoding QKD systems 
with coherent states. 

Furthermore, we remark that, recently, the measurement device 
independent (MDI-) QKD is proposed 23 and demonstrated 24,25 to 
exclude all the detection loopholes, but it requires that the source 
can be fully characterized. Specially, when WCS is used in practical 
MDI-QKD sytems, it also needs to ensure that the phase of source is 
totally randomized, otherwise, the decoy state method (weak + 
vacuum decoy state method) 26 " 29 can not be applied to estimate the 
key rate. Thus we think that our work is also significant for the MDI- 
QKD. 



Results 

A diagram of our hybrid measurement attack is shown in Fig. 1. Eve 
first splits Alice's pulses (both r and s) into two parts with a beam 
splitter (BS). Without loss generality, here we assume the transmit - 
tance of BS is 1/2, and label the reflected part as a and transmitted 
part as b. For the part a, Eve lets r and s to interfere with an asym- 
metry interferometer, then she records the results with two single 
photon detectors (D 0 and D x ). For the part b, Eve generates a strong 
reference pulse (LO pulse) with her own laser diode (LD), and ran- 
domly modulates a phase {<j) e = 0, n/2) on the LO pulse with a phase 
modulator (PM). Then she lets s to interfere with the LO pulse, and 
records the results with a homodyne detection which is composed 
with two photodiodes (d 0 and d\) and a subtracter. Note that, r is 
neglected in homodyne detection part, since it does not carry the 
encoding phase of Alice. Furthermore, excepting phase information, 
the LO pulse generated by Eve should be indistinguishable with the s 
in frequency, polarization and other dimensions. We think it is pos- 
sible for Eve to generate the indistinguishable pulse with Alice, since, 
excepting phase information, other characters of Alice's laser are 
excluded in the secure model of Alice and can be known by Eve. 

Now we give an explanation of our attack and show that it can be 
applied to the widely used weak + vacuum decoy state method. In 
BB84 protocol with WCS, the state of Alice can be written as 
jae'^+^/V^) |oce^/\/2) , where a is real and \ot\ 2 = n is the intens- 
ity of Alice's pulse, 6 = {0, n/2, n, 3n/2] is the encoding phase of Alice, 
(j> G [0, 3) is the random phase of source and 3 is the range of phase 
randomization. According to the measurement theory, the probabil- 
ity that D 0 and D x click in the single photon detection part and 
measurement result x is obtained in the homodyne detection part 
are given by 

P Do = l-(l-Y*)e-^+«*(W\ 
p Di = 1 - (l - y£) e -w £ [i-««(e)]/4 5 

(3) 

P x (0Me) = ^ e -*-^ cos(e+ *-^ 2 f/ K K 

y 71K E 

where Yq{v\ e ) is the dark count (detection efficient) of Eve's SPDs, <j> e 
= 0, n/2 is the phase modulated by Eve on the LO pulse with PM, k e 
and X E represent the imperfection of Eve's homodyne detection (k e 
= k E = 1 for perfect homodyne detection). 

According to Eq.3, P Do and P Dl are independent on the random 
phase (j), but P x (0, <j>, (j) e ) depends on (/). Since Eve has no prior 
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Figure 1 | The diagram of the hybrid measurement attack. r(s) is the signal (reference) pulse of Alice. BS: beam splitter with transmittance 1/2; D 0 
and D x are single photon detectors (SPDs); do and d x are photodiodes; x is the output of homodyne detection; LD: laser diode which is used by Eve to 
generate the reference pulse (LO pulse) of homodyne detection; PM: phase modulator which is used by Eve to modulate a phase (0 or n/2) on LO. Jr.Eve 
has the same equipments as Alice, which is used to resend faked states to Bob according to her measurement results. Note that, Eve measures both rand s of 
Alice with a interferometer in the single photon detection part, but she only measures the phase information of s in the homodyne detection part. 
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Figure 2 | (a)The theoretical distribution of x for different encoding phase of Alice, which are drawn according to Eq.4. Here we assume (j) e = 0, 
3 = 7i/4 and /u = 0.3. (b) The error rate of Eve and Bob under our attack, which are drawn according to Eq.7. The solid line shows the error rate between 
Alice and Eve, and the dashed line shows the error rate between Alice and Bob. Here we set 3 = 10°, ocq = 1.5, and assume that the detection setups of both 
Alice and Bob are perfect. 



information about <j> excepting that <j> 
distribution of x should be written as 



[0, 5), thus the probability 



' d<t> 



(4) 



The theoretical distribution of x is shown in Fig. 2(a), which clearly 
shows that Eve can use x to distinguish encoding phase of Alice. 
For example, Eve can set a threshold (x 0 > 0), when the measured 
x is larger than x 0 , she judges that 0 = 0, and when x < —x 0 , she 
judges that 0 = n, otherwise (— x 0 < x < x 0 ), she randomly guess 
Alice's bit. Note that, in BB84 protocol, Alice randomly chooses 
her phase from two bases, thus Eve also should randomly modulate 
a phase {<j) e = 0, nil) on the LO pulse with a PM to judge which 
basis is used by Alice. In fact, this part is the same as the partially 
random phase (PRP) attack proposed by our group 9 , however, the 
PRP attack is invalid for the weak + vacuum decoy state method 
due to the fact that the homodyne detection will export a successful 
result (x > x 0 or x < —x 0 ) with high probability, even if a vacuum 
state is sent by Alice, thus the total gain and QBER are much larger 
than the expectation of Bob without Eve. In order to reduce the 
disadvantage of homodyne detection, we introduce an additional 
measurement for Eve. Eve uses an interferometer and two SPDs to 
judge whether there is photon in Alice's pulse or not. Only when 
one of her SPD clicks, she resends a faked state to Bob, otherwise, 
she resends a vacuum state to Bob. Therefore, the mapping from 
Eve's measurement results to the phase of her faked state (9 e ) is 
given by 

x > x 0 and P Do click -> 0 e = 0, 
= 0 ^ x < — Xo and Pd 1 click — ► 0 e = 7i, 

otherwise vacuum pulse. 

x > Xq and P Do click -^0 e = n/2, 
x <— x 0 and P Dl click -^6 e = 3n/2, 
otherwise vacuum pulse. 

And the conditional probability that Eve resends the state with 
phase 0 e = kn/2 (k = 0, 1, 2, 3) given that Alice sends a state 
with phase 0 is given by 



(5) 
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Thus, when Eve is present, the probability that she successfully 
obtains a measurement event, the QBER between Alice and Bob 
(e AB ), and the QBER between Alice and Eve (e^) are given by 
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where effi is the error rate introduced by Eve's faked state with 
phase jn/2 given that Alice's phase is 9 = jn/2. is the error rate 
of Eve for given k and j. The error rate e** and are shown in 
Fig. 2(b), which clearly shows that the error rate between Alice and 
Eve is much smaller than the error rate between Alice and Bob. 
Here we remark that although is smaller than e**, it does not 
means no secret key can be derived due to the fact that post- 
processing is not symmetric between Eve and Bob. In fact, if we 
want to show our attack is succeed and the QKD system is insec- 
ure, we must show that the lower bound of the estimated key rate 
given that Eve implements her attack but the legitimate parties 
ignore it is larger than the upper bound of key rate under the 
given attack 15 . For example, our analysis shows that, when our 
attack is implemented but the legitimate parties ignore it, the esti- 
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Figure 3 | The estimated key rate of Alice and Bob under our attack. But in fact, the key are insecure, since our attack corresponds to an 
entanglement-breaking channel and no secret key can be generated under this channel. Here we also show the equivalent channel length of Q^, defined as 
len = —(10/ a) logi 0 {min(l, Q^IifirjBob)} ( a = 0-21 is the loss of standard fiber), which represents the minimal channel length of Alice and Bob that 
Eve can successfully load our attack. In the simulations, we assume that the SPD and homodyne detection of Eve are perfect, and set j{E^) = 1.22, 
Y 0 = 1.7 X 10" 6 , f] Bo b = 0.045, fi = 0.48, and v = 0.1 according to the experimental results of Ref. 6. 



mated key rate per pulse by Alice and Bob can be larger than 10" 3 
in some parameters regimes, but in fact our attack belongs to 
intercept-and-resend attack (Eve measures all the signals and 
resend her prepared pulses to Bob), which corresponds to an 
entanglement-breaking channel and no secret key can be generated 
under this channel. In other words, the upper bound of key rate 
under our attack is zero. Thus all the estimated key are insecure. In 
the following, we give a detailed analysis. 

Since Eve can not distinguish the signal state, decoy state and 
vacuum state, thus we assume that Eve resends a single photon state 
to Bob when she successfully obtains a measurement event. In other 
words, the total gain and QBER under our attack are given by 



Qa> = riRo b PLc+ { l - p Lc 1 lBob)Yo, 

QcdEoj = f] B ob pE succ e Eve + (l -^ucc^Bob) ^0- 



+ vacuum decoy state QKD will be compromised. Our attack shows 
that, in some parameter regimes, when Eve is present, the legitimate 
parties will be cheated and the estimated key rate is still positive, but 
in fact, the generated key are insecure, since our attack belongs to 
intercept-and-resend attack (Eve measures all the signals and resend 
her prepared pulses to Bob), which corresponds to an entanglement- 
breaking channel and no secret key can be generated under this 
channel. Here we remark that, we do not claim our attack is optimal 
for Eve to exploit the partially random phase of source, in fact our 
attack is valid just in some given parameter regimes. However, our 
attack still plays an important role in reminding the legitimate users 
that, phase randomization is necessary to guarantee the security of 



(8) 



0.45 



where w = {fi, v, 0}, Y 0 is the dark count of Bob's SPD, e 0 = 1/2 is the 
error rate of background, and r\ Boh is the transmittance of Bob's 
setups. Pf ucc and e Eve = e** are given by Eq.7 for different intensity 
of pulses. 

By substituting Eq.8 into Eq.l, we can estimate the key rate under 
our attack, which is shown in Fig. 3. It clearly shows that even Eve is 
present, Alice and Bob still can obtain positive key rate. For example, 
when 3 = 10°, the key rate is positive if Eve sets 1.38 < x 0 < 1.63. 
However, these key are insecure in this range, since our attack corre- 
sponds to an entanglement-breaking channel and no secret key can 
be generated under this channel. Furthermore, we estimate the key 
rate for different intensities of signal state and decoy state in Fig. 4, 
which also clearly shows that our attack is valid in some parameter 
regimes. 
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Discussion 

According to the analysis above, we know that when the phase of 
source is partially randomized, the security of the widely used weak 



Figure 4 | The estimated key rate of Alice and Bob for different ju and v 
when Eve is present. In the simulations, we set Xq = 1.5, S = 10°, and other 
parameters are the same as Fig. 3. 
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practical QKD system with WCS, and, instead of calibrating the 
random phase before the communication, they must carefully con- 
sider the phase randomization assumption and ensure that this 
assumption hold in the communication progress, otherwise their 
system may be insecure. 

In the end we discuss three countermeasures. The first one is that 
Alice uses an active phase randomization equipment 30,31 to ensure 
that the phase of source is totally randomized, then our attack is 
automatically removed. Obviously, this method is the best way for 
Alice, since it can remove not only our hybrid measurement attack 
but also other undiscovered attacks based on the random phase of 
sources, but it may increase the complexity of the system, or intro- 
duce other potential and undiscovered loopholes. Note that even an 
active phase randomization equipment is used by Alice, it is still 
necessary for her to check the degree of phase randomization in 
the communication program (but not calibrate it before the com- 
munication) to ensure that the phase of source is really randomized 
in [0, 2n) and Eve does not break the efficiency of her active phase 
randomization equipment. The second one is that the legitimate 
parties carefully design the system parameters to ensure that Eve 
can not load our attack in these parameter regimes. This method is 
valid for our hybrid measurement attack, since they know which 
parameter regimes are secure if they clearly know the parameters 
of their system, but there may exist other potential hacking strategies 
so that Eve can also exploit the partially random phase to spy the final 
key in other parameter regimes. The third one is that the legitimate 
parties carefully monitor the experimental data but not only estimate 
the key rate with these experimental data. For example, they can 
check the rate of gain Q^/Qv In the parameters of Fig. 3, Q^/Q v ~ 
fi/v = 4.8 when Eve is absent, but this rate will be changed to Q^l Q v ~ 
7.79 when Eve is present, which is higher than the expectation 4.8. 
Furthermore, they also can monitor, with a prior information about 
the loss of channel, the total gain adn QBER of signal state and decoy 
state, and so on. 

Method 

Here we give a simple proof of Eq.3. The state out of Alice can be written as 

| ae # + e )y/ (g) jae^y/ , when the two modes pass the BS of Eve (here we 

simply assume the transmittance of BS is 1/2, in fact Eve can optimize this parameter 
to maximize her information), the final states are 
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If the interferometer of Eve is perfect, the state output of the interferometer can be 
written as 



Thus if the SPD of Eve is also perfect, the probability that D 0 and D x click is 
given by 



(10) 
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Furthermore, for a coherent state |a), the probability distribution of the measured 
result of homodyne detection can be written as 9 
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where 6 is the relative phase of signal pulse and local pulse. Thus, it is easy to obtain 
the third equation of Eq.3 for the mode bs. 
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